Packet capturing with Cisco PIX/ASA


Traffic capturing with Cisco PIX/ASA

Written by Maxim Klimanov

Articles devoted to traffic capturing appear on our site with admirable regularity. We decided not to break with this practice and present to our readers new material on capturing traffic with the help of hardware tools. As the hardware platform we have chosen this time the Cisco PIX hardware firewall. The described functionality is also supported by the Cisco ASA line, which replaced the PIX series. We are not going to cover every capturing capability of the network operating system; instead we will point at the situations where a system administrator may need this functionality. We are sure the readers will find their own applications for this material. We also think it worth mentioning that all data and examples are presented here for educational purposes only. Now, to business!

For our tests we used a Cisco PIX 515 firewall with three Fast Ethernet interfaces, the parameters of which are presented below.

Hardware:   PIX-515, 128 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
Cisco PIX Security Appliance Software Version 8.0(4)

In privileged mode on the firewall console, the user can take advantage of the capture command. A detailed description of everything this command can do is available on the manufacturer's website.

pix515# ?
aaa-server                    Specify a AAA server
activation-key                Modify activation-key
asdm                          Disconnect a specific ASDM session
blocks                        Set block diagnostic parameters
capture                       Capture inbound and outbound packets on one or more interfaces
cd                            Change current directory
clear                         Reset functions
client-update                 Execute client updates on all or specific tunnel-groups
clock                         Manage the system clock
configure                     Configure using various methods
copy                          Copy from one file to another
cpu                           general CPU stats collection tools
crashinfo                     Crash information
crypto                        Execute crypto Commands
debug                         Debugging functions (see also 'undebug')
delete                        Delete a file
dir                           List files on a filesystem
disable                       Exit from privileged mode
downgrade                     Downgrade the file system and reboot
dynamic-access-policy-config  Activates the DAP selection configuration file.
eou                           EAPoUDP
erase                         Erase a filesystem
<--- More --->

The first thing to do is to give a name to the capture we are about to make. After setting the name, one should specify the interface on which capturing is going to be performed. If the interface is omitted, the capture appears to run, but no data reaches the capture buffer. The data to be saved can be filtered either with a pre-configured access-list or by setting the traffic filtering criteria by hand.

pix515# capture ?
WORD  Capture name
pix515# capture test ?
access-list      Capture packets that match access-list
buffer           Configure size of capture buffer, default is 512 KB
circular-buffer  Overwrite buffer from beginning when full, default is non-circular
ethernet-type    Capture Ethernet packets of a particular type, default is IP
headers-only     Capture only L2, L3 and L4 headers of packet without data in them
interface        Capture packets on a specific interface
match            Capture packets matching five-tuple
packet-length    Configure maximum length to save from each packet, default is 68 bytes
real-time        Display captured packets in real-time. Warning: using this option with a slow console connection may result in an excessive amount of non-displayed packets due to performance limitations.
trace            Trace the captured packets
type             Capture packets based on a particular type
<cr>
pix515# capture test interface ?
Available interfaces to listen:
inside         Name of interface Ethernet1
outside        Name of interface Ethernet0

Let's try to capture all ICMP traffic going from any host to any host through the inside firewall interface. For this we will use the command below.

capture test interface inside match icmp any any

As soon as the command is entered, the firewall begins saving the packets that match the condition into the buffer. You can verify this with the show capture command. The buffer size can be set with the buffer parameter of the capture command, and the circular-buffer parameter makes the buffer wrap around and overwrite old data when full.

pix515# show capture
capture test type raw-data interface inside [Capturing - 30780 bytes]
match icmp any any

To look at the captured data, add the capture name to the show capture command.

pix515# sho capture test
522 packets captured
1: 21:24:38.629087 192.168.1.2 > 192.168.1.1: icmp: echo request
2: 21:24:38.630765 192.168.1.1 > 192.168.1.2: icmp: echo reply
3: 21:24:39.630109 192.168.1.2 > 192.168.1.1: icmp: echo request
4: 21:24:39.631665 192.168.1.1 > 192.168.1.2: icmp: echo reply

One can not only look through general information about the packets but their content as well.

pix515# sho capture test dump
522 packets captured
1: 21:24:38.629087 192.168.1.2 > 192.168.1.1: icmp: echo request
0x0000   4500 003c 12a7 0000 7e01 9781 ac11 2324        E..<....~.....#$
0x0010   c0a8 02bb 0800 35cb 0001 1790 6162 6364        ......5.....abcd
0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst
0x0030   7576 7761 6263 6465 6667 6869                  uvwabcdefghi
2: 21:24:38.630765 192.168.1.1 > 192.168.1.2: icmp: echo reply
0x0000   4500 003c 4656 0000 ff01 e2d1 c0a8 02bb        E..<FV..........
0x0010   ac11 2324 0000 3dcb 0001 1790 6162 6364        ..#$..=.....abcd
0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst
0x0030   7576 7761 6263 6465 6667 6869                  uvwabcdefghi

When the capture results need to be saved, one can copy them to flash or send them over the network directly to an FTP or TFTP server. In the listing below we first save the data to flash and then copy that file to an FTP server running on a computer with IP address 192.168.1.1, where a user admin with the password admin exists.

pix515# sho fla
Directory of flash:/
4      -rw-  7538688     18:01:44 May 09 2009  pix804.bin
7      -rw-  10101       01:40:46 May 24 2009  pix515-2_conf_20090523
9      -rw-  19369       03:58:47 May 24 2009  pix515-1_conf_20090523
15998976 bytes total (8401920 bytes free)
pix515# copy /pcap capture:/test flash:/test
Source capture name [test]?
Destination filename [test]?
!!!!
222 packets copied in 0.280 secs
pix515# sho fla
Directory of flash:/
4      -rw-  7538688     18:01:44 May 09 2009  pix804.bin
7      -rw-  10101       01:40:46 May 24 2009  pix515-2_conf_20090523
9      -rw-  19369       03:58:47 May 24 2009  pix515-1_conf_20090523
12     -rw-  15579       23:05:37 Apr 15 2010  test
15998976 bytes total (8386048 bytes free)
pix515# copy flash:/test ftp://admin:admin@192.168.1.2
Source filename [test]?
Address or name of remote host [192.168.1.2]?
Destination username [admin]?
Destination password [admin]?
Destination filename [test]?
!!!!!
15579 bytes copied in 0.250 secs

In the listing above, pay special attention to the /pcap parameter given when copying from the capture to flash: with this parameter the data are written in the format readable by tcpdump and Wireshark; without it the capture is written as plain text.

Having fetched the test file from the FTP server, we opened it in Wireshark for further analysis. Such "analysis" may be, for example, recovering voice from captured RTP streams.
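The text output of show capture name dump shown earlier carries the complete packet, so it can be rebuilt into a pcap even when only a console log is at hand and copy /pcap is not an option. The following Python is an added example, not code from the article or from Cisco: it assumes the dump starts at the IPv4 header (as in the listing, which has no Ethernet frame), takes an assumed capture date because the dump carries only the time of day, and verifies each IPv4 header checksum so that hex transcription errors are caught before the file is opened in Wireshark.

```python
import re
import struct
from datetime import date, datetime, timezone
# Constructed sample in the layout of "show capture <name> dump"; the two packets are those from the listing above.
SAMPLE_DUMP = """\
1: 21:24:38.629087 192.168.1.2 > 192.168.1.1: icmp: echo request
0x0000   4500 003c 12a7 0000 7e01 9781 ac11 2324        E..<....~.....#$
0x0010   c0a8 02bb 0800 35cb 0001 1790 6162 6364        ......5.....abcd
0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst
0x0030   7576 7761 6263 6465 6667 6869                  uvwabcdefghi
2: 21:24:38.630765 192.168.1.1 > 192.168.1.2: icmp: echo reply
0x0000   4500 003c 4656 0000 ff01 e2d1 c0a8 02bb        E..<FV..........
0x0010   ac11 2324 0000 3dcb 0001 1790 6162 6364        ..#$..=.....abcd
0x0020   6566 6768 696a 6b6c 6d6e 6f70 7172 7374        efghijklmnopqrst
0x0030   7576 7761 6263 6465 6667 6869                  uvwabcdefghi
"""
HEADER_RE = re.compile(r"^(\d+): (\d\d:\d\d:\d\d\.\d{6}) (.+)$")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]{4}\s{2,}([0-9a-fA-F]{2,4}(?: [0-9a-fA-F]{2,4})*)")

def parse_dump(text):
    """Return [(time_str, summary, packet_bytes), ...]; hex groups are single-spaced, 2+ spaces start the ASCII column."""
    packets = []
    for line in text.splitlines():
        hdr, hx = HEADER_RE.match(line), HEX_RE.match(line)
        if hdr:
            packets.append((hdr.group(2), hdr.group(3), bytearray()))
        elif hx and packets:  # hex lines belong to the most recent header line
            packets[-1][2].extend(bytes.fromhex(hx.group(1).replace(" ", "")))
    return [(ts, s, bytes(data)) for ts, s, data in packets]

def ipv4_header_ok(pkt):
    """Check version, IHL and the IPv4 header checksum (catches transcription errors)."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if ihl < 20 or pkt[0] >> 4 != 4 or len(pkt) < ihl:
        return False
    total = sum(struct.unpack("!%dH" % (ihl // 2), pkt[:ihl]))
    while total >> 16:  # fold carries; a valid header sums to 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def to_pcap(packets, day=date(2010, 4, 15)):
    """pcap with LINKTYPE_RAW (101) since the dump starts at IP; the date is an assumed input."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101))
    for ts, _summary, pkt in packets:
        tm = datetime.strptime(ts, "%H:%M:%S.%f").time()
        t = datetime.combine(day, tm, tzinfo=timezone.utc)
        orig = max(len(pkt), struct.unpack("!H", pkt[2:4])[0])  # IP total length: packet-length 68 truncates by default
        out += struct.pack("<IIII", int(t.timestamp()), t.microsecond, len(pkt), orig)
        out += pkt
    return bytes(out)
```

Write the result of to_pcap to a file and Wireshark will decode it as raw IPv4, showing the same echo request and reply as the console summary.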

Capturing is stopped with the no capture name command, where name is the name of the capture.

Here the brief overview of the capturing capabilities of Cisco PIX/ASA comes to an end.

Last Updated on Saturday, 17 April 2010 14:23